Agiliance Whitepaper - Six Key Steps

The Leader in IT Governance, Risk & Compliance Management

Six Key Steps for Effective IT Risk and Compliance Management

Take practical steps and use technology to improve quality, efficiency, and value

Whitepaper

Upload: agiliancecommunity

Posted on 20-May-2015


© Agiliance, Inc.

Managing the confluence of IT governance, risk, and compliance

Information technology organizations are at the center of three critical business management challenges: Regulation and control, risk management, and cost reduction. Successfully meeting these challenges requires IT to manage several interdependent disciplines. IT organizations manage business critical applications, systems, and processes, and are major participants in keeping the business secure and productive. At the same time they are facing the responsibility for more regulations and corporate policies, multiplying audit requests, ever-present risks, continuous change to meet strategic business goals, and pressures to create new efficiencies and meet cost reduction goals. Within this context, management is asking several critical questions:

Are we compliant?

Are we focusing on the risks that really matter to the business?

Do we have a repeatable and sustainable process for risk and compliance?

Are we using time, people, and money efficiently?

The Key Steps

By taking practical, key steps and using technology, IT organizations can answer these questions. They can gain greater control over risk and compliance. They can improve their ability to proactively manage risk and business priorities. At the same time, they can realize efficiencies to manage cost. The key steps to employ are:

Capture the appropriate assets

Implement a common control framework

Automate survey workflow and technical testing

Quantify and analyze risk

Take appropriate actions to manage risk

Provide visibility to support informed decisions.

Not all the steps need be applied at once to achieve improved control, enhanced efficiency, and reduced cost. Start with an immediate project and broaden the scope of assets, regulations, and policies addressed in subsequent projects. By applying these key steps with technology, IT organizations and their companies can effectively:

Know their compliance position within the changing environment

Better understand and manage risk that matters

Effectively use current resources to assess and manage more compliance and risk requirements

Drive lower cost with sustainable processes and better quality information

Provide visibility to enable informed decisions at all organizational levels.

IT organizations can take better advantage of the inter-relationships between risk and compliance, achieve greater control over both, drive down cost, and make resources more productive.


Key step 1: Capture the appropriate assets

In order to test controls and assess risks, organizations need to know which assets to include. Assets are any entity subject to a policy or control objective. These include people, processes and technology, as well as facilities and buildings. Assets can also include external services and third party vendors.

Build the asset inventory in two steps:

Collect asset information. Leverage the many databases, systems, and documents already holding asset information.

Classify and group assets by their attributes. Attributes are the characteristics and properties that describe an asset such as location, operating system, business process, division, the business owner and the like.

Document relationships and dependencies among the assets. For example, an application has a relationship with the computer it runs on and the data center where it resides.

Classify assets based on their criticality to the business and relevant business processes. For example, a consumer application that contains private customer information would most likely have a higher criticality ranking than a business application that contains no confidential information.

Profile each asset for confidentiality, integrity, and availability risk.

Use an automated survey workflow tool to gather asset classification information and to provide up-to-date information for the assets under consideration. To capture the assets under consideration, use technology that supports:

Dynamic updates, bulk loading, and manual additions/changes

Automatic synchronization with the many existing systems already deployed

Assets belonging to more than one virtual group

Asset groupings enabling policies and their associated controls to be applied to a group as a whole

Dynamic addition of new assets to a group and their automatic inheritance of policies associated with that group

Support for on-the-fly group creation

Once assets, their classification information, and their virtual groupings are in the repository, assessment and audit managers can create projects that address just the set of assets under consideration, for example, just the business applications of the enterprise.
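The asset repository described in this step, as an added Python example that is not code from the whitepaper or the Agiliance platform: assets carry attributes, virtual groups are computed from those attributes (so an asset may sit in several groups and a newly loaded asset joins the right ones automatically), policies attach to groups and are inherited by members, and an assessment project is scoped to one group. All asset records, group rules and policy names are constructed for illustration.

```python
"""Asset repository with attribute-based virtual groups and policy inheritance.

Added example, not the whitepaper's or Agiliance's code. Asset records,
group rules and policy names below are constructed for illustration.
"""

# Constructed asset records. In practice the attributes are pulled from the
# CMDB, directory or spreadsheets that already hold them; a loader would
# replace this literal dict.
ASSETS = {
    "crm-web-01": {"type": "application", "os": "Linux", "location": "SJC",
                   "owner": "sales", "holds_pii": True},
    "hr-portal":  {"type": "application", "os": "Windows", "location": "SJC",
                   "owner": "hr", "holds_pii": True},
    "build-srv":  {"type": "server", "os": "Linux", "location": "AUS",
                   "owner": "eng", "holds_pii": False},
    "sjc-dc":     {"type": "facility", "location": "SJC", "owner": "facilities",
                   "holds_pii": False},
}

# Constructed virtual groups. Membership is a rule over attributes, so a new
# asset joins the matching groups (and inherits their policies) the moment it
# is loaded, and one asset can belong to several groups at once.
GROUPS = {
    "business-applications": lambda a: a["type"] == "application",
    "linux-hosts":           lambda a: a.get("os") == "Linux",
    "pii-handling":          lambda a: a["holds_pii"],
    "san-jose-site":         lambda a: a["location"] == "SJC",
}

# Constructed policies attached to groups rather than to individual assets.
GROUP_POLICIES = {
    "business-applications": {"SDLC-review"},
    "linux-hosts":           {"CIS-linux-baseline"},
    "pii-handling":          {"privacy-policy", "encryption-at-rest"},
    "san-jose-site":         {"physical-access-policy"},
}


def groups_of(name, assets=ASSETS):
    """Every virtual group whose rule the asset's attributes satisfy."""
    return sorted(g for g, rule in GROUPS.items() if rule(assets[name]))


def effective_policies(name, assets=ASSETS):
    """Union of the policies of all groups the asset belongs to."""
    policies = set()
    for group in groups_of(name, assets):
        policies |= GROUP_POLICIES.get(group, set())
    return sorted(policies)


def project_scope(group, assets=ASSETS):
    """Assets an assessment project covers, e.g. 'just the business applications'."""
    return sorted(n for n in assets if GROUPS[group](assets[n]))


def add_asset(name, attributes, assets=ASSETS):
    """Bulk load or manual addition: the asset's policies follow from its
    attributes, with no per-asset policy assignment."""
    assets[name] = dict(attributes)
    return effective_policies(name, assets)


if __name__ == "__main__":
    for asset in ASSETS:
        print(asset, groups_of(asset), effective_policies(asset))
    print("project scope:", project_scope("business-applications"))
```

Because group membership is derived rather than stored, a change to an asset's attributes (say, it starts holding customer data) changes its effective policy set on the next evaluation without anyone editing group lists.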


Key step 2: Implement a common control framework

Today, most regulations are managed independently. Because of the extensive overlap among regulatory policies, and therefore in policy controls, this approach is cumbersome and redundant. It is also complex and expensive.

While some organizations maintain custom control sets, others have been able to take advantage of standard frameworks such as COBIT, NIST, and ISO 17799/27001. In some cases, organizations apply a specific standard control framework to a specific regulation. Examples are: COBIT for Sarbanes-Oxley, NIST 800-53 for HIPAA, and FFIEC for GLBA. In others, they apply a mix of standards-based and custom controls. Using standard frameworks has aided organizations by reducing the overhead required to develop and maintain custom controls.

But there is still more benefit to realize. A significant number of specific control requirements are common across several frameworks. For example, COBIT, NIST 800-53, and FFIEC share a significant number of common controls.

To further reduce cost and complexity and improve risk management effectiveness a key step is to employ a common control framework. By using a common control framework, one assessment, rather than multiple, will suffice to certify against any number of regulations.

A common control framework supports:

Mapping of controls from ISO 17799/27001, COBIT, COSO, NIST, FFIEC, and GAISP among others, as well as custom-built controls, to one common set of controls

Maintenance of the relationship between a common control and the corresponding regulation-specific control in the standard, simplifying change management.

In building a common control framework, use technology that:

Includes a broad and extensible content library that automatically maps regulatory policy to control rules.

Maps custom-built controls to the common control framework

Simplifies version control and change management

Provides views of the common control set through the filter of a particular regulation or internal policy set.


The common control framework simplifies the process because there are fewer controls to test and independent assessments are unnecessary. Cost is lower as more work gets done faster with potentially fewer people. Now, the business can test once and certify against many regulations.
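The mapping and the "test once, certify against many" claim above, as an added Python example that is not code from the whitepaper or the Agiliance platform. Each common control records which regulation-specific controls it satisfies; a test result is recorded once per common control and the per-regulation view is derived from the mapping, and a change to one regulation's control is traced to the common control and the other regulations that share it. The control identifiers (ISO-A1, NIST-1, COBIT-1 and so on) are constructed placeholders, not real clauses of ISO 27001, NIST SP 800-53 or COBIT.

```python
"""Common control framework: test each common control once and derive a
per-regulation compliance view from the mapping.

Added example, not code from the whitepaper or the Agiliance platform.
Every control identifier below is a constructed placeholder, not a real
clause of ISO 27001, NIST SP 800-53 or COBIT.
"""

# Constructed: common control -> the regulation-specific controls it satisfies.
COMMON_CONTROLS = {
    "CC-01": {"title": "Each user has a unique account",
              "maps_to": {"ISO27001": "ISO-A1", "NIST80053": "NIST-1", "COBIT": "COBIT-1"}},
    "CC-02": {"title": "Password policy enforced",
              "maps_to": {"ISO27001": "ISO-A2", "NIST80053": "NIST-2"}},
    "CC-03": {"title": "Audit logs retained for one year",
              "maps_to": {"NIST80053": "NIST-3", "COBIT": "COBIT-2"}},
    "CC-04": {"title": "Quarterly access review performed",
              "maps_to": {"ISO27001": "ISO-A3", "COBIT": "COBIT-3"}},
}


def frameworks():
    """Every regulation or standard that appears in the mapping."""
    return sorted({f for spec in COMMON_CONTROLS.values() for f in spec["maps_to"]})


def regulation_view(framework):
    """The common control set filtered through one regulation:
    {regulation-specific id: common control id}."""
    return {spec["maps_to"][framework]: cc
            for cc, spec in COMMON_CONTROLS.items() if framework in spec["maps_to"]}


def tests_saved():
    """(tests with a common framework, tests if each regulation were assessed
    independently)."""
    separate = sum(len(spec["maps_to"]) for spec in COMMON_CONTROLS.values())
    return len(COMMON_CONTROLS), separate


def assess(results):
    """results: {common control id: True if its test passed}.
    Returns {framework: {"compliant": bool, "failed": [regulation-specific ids]}}.
    Refuses to report when any common control is untested, so a view can never
    silently rest on stale or missing evidence."""
    failed = {fw: [] for fw in frameworks()}
    for cc, spec in COMMON_CONTROLS.items():
        if cc not in results:
            raise ValueError(f"{cc} has not been tested")
        if not results[cc]:
            for fw, specific_id in spec["maps_to"].items():
                failed[fw].append(specific_id)
    return {fw: {"compliant": not ids, "failed": sorted(ids)}
            for fw, ids in failed.items()}


def impact_of_change(framework, specific_id):
    """Change management: when one regulation's control changes, return the
    common control it maps to and every other regulation sharing that control."""
    for cc, spec in COMMON_CONTROLS.items():
        if spec["maps_to"].get(framework) == specific_id:
            return cc, sorted(f for f in spec["maps_to"] if f != framework)
    return None, []


if __name__ == "__main__":
    # Constructed test outcome: one password-policy failure.
    outcome = {"CC-01": True, "CC-02": False, "CC-03": True, "CC-04": True}
    print("tests run vs. separate assessments:", tests_saved())
    for fw, status in assess(outcome).items():
        print(fw, status)
    print("ISO-A1 changed ->", impact_of_change("ISO27001", "ISO-A1"))
```

With four common controls standing in for nine regulation-specific ones, a single failed password-policy test correctly shows up in both regulations that map to it while the third stays compliant, which is the "test once, certify against many" result the text describes.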

Key step 3: Automate survey workflow and technical testing

Commonly, risk assessments and compliance testing use manual processes and personal interviews. The tools are e-mail, paper and spreadsheets.

These manual processes and tools are difficult to manage and error prone. They are typically costly, time consuming, confusing and complex. Results become obsolete because manual testing per regulation is typically done only once a year and it is not practical to share results across regulations.

Automating survey workflow

Automate the survey process to increase the quality and timeliness of controls testing while simplifying the effort and lowering the cost. Use technology that not only automates the survey workflow but also provides the content necessary to build surveys.

Select technology that:

Provides an authoring tool to dynamically create and edit surveys

Supports the creation and implementation of automated workflow including:

The distribution of surveys to business or process owners and the collection and collation of data

Management of delegation and escalation, review and approval cycles, as well as reminders and user awareness/training

On-line help within the survey itself.

Survey process automation used with a common control framework and asset repository can dramatically reduce errors, increase response quality, and cut the time to complete the survey work.


These benefits accrue to all involved, including project managers, respondents, auditors, and management, allowing an increase in survey frequency for a nominal cost.

Integrating and automating technical controls

Computing assets, hardware, software, and the like, are generally subject to technical controls that can be monitored automatically. Automated testing can be performed frequently, even continuously.

Use a technology that easily integrates with already deployed systems such as scanners (for example, Nessus Security Scanner) and other monitoring systems (for example, Symantec Enterprise Security Manager™). Ensure that the automation technology can connect remotely without the use of an agent running on the servers or hosts to avoid the complexity and cost of managing hosted agents on large numbers of servers.

Coupling automated survey workflow and technical controls

Full automation, while desired, is not achievable. Many objectives depend on controls that involve a combination of manual and technical checks. However, by using a technology that supports both automated survey workflow and technical testing, and seamlessly combines the data from each, a truer view of risk and compliance is obtained. By combining the results of both methods the organization achieves a compliance and risk picture that is more complete, accurate, and up-to-date as well as less costly to develop.

Key step 4: Quantify and analyze risk

Business strategy and practice requires taking controlled risks based on the business’s risk tolerance and maximizing risk-adjusted returns. The same principles apply for managing IT risk and compliance.

By identifying and quantifying risk, organizations can make more informed decisions and take more appropriate actions.

To quantify risk, identify threats and vulnerabilities against assets, apply likelihood, exposure, and criticality measures, and calculate risk scores for the assets using established and accepted methodologies. Later, rather than treating everything the same, actions can be tailored according to an asset’s risk score and its potential damage and cost to the business.

Quality risk metrics support objective analysis that drives better decisions; helps focus resources on the most important risks; and allows organizations to set objectives and track risk and compliance trends against these over time.


To quantify risk use technology that:

Uses standard methodologies and well-accepted scoring guidelines from standards organizations such as BITS, ISO, and NIST to generate meaningful risk metrics

Accounts for risk propagated through asset dependencies, for example, the risk associated with the data center is propagated to applications that run inside it

Keeps risk and compliance scores current by using both automated technical testing and manual self-assessment at the appropriate frequency

Clearly traces risk to its cause, such as a failure of a particular control, a new unmitigated threat, or increase in risk of a related asset.

By using the right approach and technology a business can build a comprehensive, quantified picture of risk, make informed decisions, and manage risk for the best business outcome.

Key Step 5: Take appropriate actions to manage risk

Risk scores provide decision-makers with insight and visibility. Once the business knows which risks matter, the next step is to take action to manage those risks. Actions include:

Transferring a risk to another entity

Avoiding a risk

Reducing the negative effect of a risk

Accepting some or all of the consequences of a risk.

In addition to using relative risk scores, IT organizations can employ economic impact measures such as the Annual Loss Expectancy (ALE) to further optimize allocation of their resources on prioritized risks.
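The risk quantification of step 4 (likelihood, exposure and criticality scores, risk propagated through asset dependencies, and each score traced to its cause) together with the ALE measure mentioned above, as one added Python example that is not code from the whitepaper or the Agiliance platform. The scoring rule (likelihood x exposure x criticality, each on a 1-5 scale), the propagation rule (a dependency's threat level flows down to every asset that relies on it and is scaled by that asset's own criticality) and all asset data are assumptions constructed for illustration; the ALE formula is the standard SLE x ARO.

```python
"""Quantify risk across an asset dependency graph, trace each score to its
cause, and compare treatments with Annual Loss Expectancy (ALE).

Added example, not code from the whitepaper or the Agiliance platform. The
scoring rule (likelihood x exposure x criticality, each on a 1-5 scale), the
propagation rule and all asset data are assumptions constructed for
illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    criticality: int                        # 1 (low) .. 5 (business critical)
    depends_on: list = field(default_factory=list)
    # Open findings as (cause, likelihood 1-5, exposure 1-5)
    findings: list = field(default_factory=list)


# Constructed inventory: the CRM application runs on a database that lives in
# the data center, so a data-center weakness is a CRM weakness too.
ASSETS = {
    "data_center": Asset("data_center", 3,
                         findings=[("unpatched cooling controller", 4, 3)]),
    "customer_db": Asset("customer_db", 5, depends_on=["data_center"],
                         findings=[("missing audit logging", 2, 2)]),
    "crm_app": Asset("crm_app", 5, depends_on=["customer_db"]),
    "intranet_wiki": Asset("intranet_wiki", 2,
                           findings=[("default admin credentials", 5, 4)]),
}


def threat_levels(name, assets, seen=None):
    """(likelihood * exposure, cause) for the asset's own findings plus those
    inherited from every asset it depends on, recursively. The visited set
    guards against dependency cycles and diamond-shaped graphs."""
    if seen is None:
        seen = set()
    if name in seen:
        return []
    seen.add(name)
    asset = assets[name]
    levels = [(lik * exp, cause) for cause, lik, exp in asset.findings]
    for dep in asset.depends_on:
        for level, cause in threat_levels(dep, assets, seen):
            levels.append((level, f"{cause} (via {dep})"))
    return levels


def effective_risk(name, assets):
    """Risk score for one asset and the finding that drives it: the worst
    threat level reaching the asset, scaled by the asset's own criticality.
    The same data-center fault therefore scores higher on the business-critical
    CRM than on the data center itself, and the cause string shows the path."""
    levels = threat_levels(name, assets)
    if not levels:
        return 0, "no open findings"
    level, cause = max(levels, key=lambda t: t[0])
    return level * assets[name].criticality, cause


def rank_assets(assets):
    """Assets ordered by descending risk score (name breaks ties)."""
    ranked = [(name, *effective_risk(name, assets)) for name in assets]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


def annual_loss_expectancy(asset_value, exposure_factor, annual_rate):
    """ALE = SLE x ARO, with SLE = asset value x exposure factor (fraction of
    value lost per incident) and ARO the expected incidents per year."""
    return asset_value * exposure_factor * annual_rate


def net_benefit(ale_before, ale_after, annual_control_cost):
    """Positive when a treatment removes more expected loss than it costs."""
    return (ale_before - ale_after) - annual_control_cost


if __name__ == "__main__":
    for name, score, cause in rank_assets(ASSETS):
        print(f"{name:14} score={score:3}  cause: {cause}")
    before = annual_loss_expectancy(2_000_000, 0.25, 0.2)    # constructed figures
    after = annual_loss_expectancy(2_000_000, 0.25, 0.02)    # after the cooling fix
    print("net annual benefit of the cooling fix:",
          net_benefit(before, after, annual_control_cost=30_000))
```

Run on the constructed inventory, the two business-critical assets rank highest even though neither has a serious finding of its own: their scores trace back through the dependency chain to the data-center fault, which is where a fix would pay off. The ALE comparison then puts that fix in money terms so it can be weighed against the cost of the control.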

Taking action on risk typically involves change management: A configuration change, a procedural change, or the development and deployment of a new policy and/or new controls to name a few. These changes must be defined, planned, approved, communicated, executed and verified.

Over time, the organization will see the effectiveness of its preventive and corrective actions through periodic risk assessments and controls testing as well as through its business results.

Select a technology that supports trouble ticketing and/or integrates easily with an existing trouble ticket management tool already in place. Ensure that the links between prioritized risk, actions and results can be tracked and completed.

Key step 6: Provide visibility to support informed decisions

The most up-to-date risk data is of little value to an organization if it cannot be communicated effectively to decision makers. Well-organized and effectively formatted information is powerful. Providing business owners, executives, and operational teams with access to the broad risk and control picture, laid out for easy viewing and interpretation, eliminates surprise and allows thoughtful action to address above-tolerance conditions.


Use a comprehensive, intuitive, graphical web-based dashboard tool to build customized views for access by authorized users anywhere at any time. Choose technology that provides:

Access control, with easy integration into enterprise directories as needed

Scheduled and dynamic reports and dashboards

Graphical display of summary information relevant to each user’s needs and role in the organization, for example, executive, business unit manager, analyst, and internal auditor

Capabilities to easily drill down to any level to ascertain root cause or explore underlying details.

Providing visibility through flexible, interactive dashboards supports:

Easier audits because reports are ready when needed

Better decisions at all levels because customized management and operational views are accessible any time, any place

Improved governance because executives get the big picture and the detail they need to drive policy down throughout the business as well as provide transparency up to the board level

Better learning and improvement because managers, organizations, and teams can see compliance and risk trends over time.

Continuous visibility into risk and compliance status and trends is a powerful tool to provide transparency to auditors, executives, and boards of directors as well as improve risk-adjusted business results and provide compliance peace of mind.


The Benefits to IT Risk and Compliance Management

Information technology is a key business function standing at the center of the confluence of three critical management challenges:

Regulatory control

Risk management

Cost reduction.

Regulatory and policy requirements are escalating. Unknown threats and vulnerabilities lurk everywhere. Continuous change to the environment, people, and processes is normal. Cost pressure is constant.

By applying some or all of the key steps and using a scalable, easily integrated technology platform, IT organizations can effectively meet these hard-to-control challenges and, by doing so, effectively manage the confluence of compliance, risk, and cost reduction. As a result they will:

Always know their compliance position continuously through time

Understand and manage risk that matters to the business

Effectively use current resource levels to manage growing risk and compliance requirements

Sustain lower cost through sustainable processes and better quality information

Provide visibility to enable informed decisions at all levels of the enterprise.


17�� North First Street Suite �00 San Jose, CA 9511�

p: �08.�00.0�00 f: �08.�00.0�01 www.agiliance.com

Agiliance, Inc.


IT organizations can start today, through the application of these key steps and technology, such as the Agiliance IT-GRC platform, to leverage the inter-relationships between compliance, risk, and cost reduction to drive results for the IT organization, the business at large, regulators, and other external stakeholders.

About Agiliance IT-GRC

The Agiliance IT-GRC platform is the first software product to comprehensively address the integrated requirements of Information Technology Governance, Risk, and Compliance. The Platform is explicitly designed to assist organizations to deliver compliance peace of mind, manage risk, and reduce costs by:

Streamlining the management of policies and controls through standards and a common control framework

Automating survey workflow and technical testing

Integrating easily with existing systems to connect previously isolated elements into a comprehensive and productive environment for compliance and risk management

Quantifying and prioritizing risk to support informed decisions and actions

Providing up-to-date, broad visibility and transparency to managers, executives, and operational teams leading to enhanced governance and business decision-making

The Agiliance IT-GRC platform is an indispensable tool for managing IT governance, risk, and compliance with less time, at a lower cost, and with more effectiveness.